NAME

Apache::MSIISProbes - Responds to worm attacks on Microsoft Internet Information Servers with e-mail warnings.

SYNOPSIS

In your httpd.conf, put something similar to the following:

<Location /default.ida>
  SetHandler perl-script
  PerlHandler Apache::MSIISProbes
  PerlSetVar worm_name CodeRed
  PerlSetVar worm_url http://www.microsoft.com/technet/itsolutions/security/topics/codealrt.asp
</Location>

DESCRIPTION

This Perl module should be invoked whenever the worms it
knows about attack. We don't have to worry about such
attacks on non-Windows boxes, but we can be good Internet
citizens, warning the webmasters on infected machines of the
problem and how to solve it.

The module allows the user to add new configuration
directives as new worms are discovered.

USAGE

In your httpd.conf, put directives similar to the following:

<Location /default.ida>
  SetHandler perl-script
  PerlHandler Apache::MSIISProbes
  PerlSetVar worm_name CodeRed
  PerlSetVar worm_url http://www.microsoft.com/technet/itsolutions/security/topics/codealrt.asp
</Location>

<LocationMatch (cmd.exe|root.exe)>
  SetHandler perl-script
  PerlHandler Apache::MSIISProbes
  PerlSetVar worm_name Nimda
  PerlSetVar worm_url http://www.microsoft.com/technet/security/topics/Nimda.asp
</LocationMatch>

Duplicates

$store = 1; # Send mail for every attempt
$store = 0; # Only send mail once per cache period

Although rumor has it that CodeRed and other similar worms
only attack a given IP once from a given host, experience
shows this to be false. You can control the behavior of
MSIISProbes.pm when it encounters a second or subsequent
attempt from a given IP address. By default MSIISProbes.pm
keeps a cache of IP addresses from which an attempt has
originated, counting attempts per worm from the IP and
including the count in each message it mails.

You can override this behavior and send a message only the
first time a given host attempts to spread the worm in a given
period by setting the variable $store to a false value. This
will cause the cache to be cleared at a given interval (by
default, one day). Mail alerts to the IIS server's
administrators will be sent only once per cache period.

Volume

$soa_only = 1; # only send mail to the Start of Authority
$soa_only = 0; # send mail to address at the IP's MX also

You can also control the "volume" of the module using the 
$soa_only flag in the configuration. This variable controls
the number of addresses to whom e-mail alerts are sent when
an attempt to infect your server is made. Experience has shown
that many administrators do not have their MX records set up
correctly. This can lead to frequent bounced mail when the module
is in its default configuration ($soa_only = 0).

If you set $soa_only to a true value, the module will only attempt
to resolve the Start of Authority for the attacking IP. This will 
usually result in mail being sent to the SOA contact address plus 
abuse@ the SOA's domain.

If you set $soa_only to false, the module will additionally attempt
to resolve the IP's MX host and send mail to postmaster@, webmaster@,
and administrator@ that domain. This is a potential total of 5
messages (plus Security Focus) per attempted infection.
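The recipient selection described above, written out as an added example (this is not the module's own code): reverse-resolve the probing IP, walk up the name to the first zone with an SOA record, take the SOA contact plus abuse@ that zone, and, only when $soa_only is false, add postmaster@, webmaster@ and administrator@ the host's domain when that domain has an MX record. The Net::DNS calls are real; the 20-second timeout follows the CHANGES entry; the domain is assumed to be the host name minus its leftmost label. When the IP has no PTR record the function returns no recipients at all, which is the failure the v1.05 fix addresses (mail falling through to the local server admin).

```perl
#!/usr/bin/perl
# Added illustration, not Apache::MSIISProbes' own code: who gets mailed
# for a given probing IP under $soa_only = 1 and $soa_only = 0.
use strict;
use warnings;
use Net::DNS;
use Socket qw(inet_aton AF_INET);

my $soa_only = 0;   # 1: SOA contact + abuse@ only; 0: also the MX-domain addresses

my $res = Net::DNS::Resolver->new;
$res->tcp_timeout(20);   # CHANGES v1.03: resolver timeout cut to 20 seconds
$res->udp_timeout(20);

# Reverse-resolve the address; undef when there is no PTR record.
sub reverse_name {
    my ($ip) = @_;
    my $packed = inet_aton($ip) or return;
    return scalar gethostbyaddr($packed, AF_INET);
}

# Turn an SOA RNAME such as "hostmaster.example.com." into a mailbox.
# The first unescaped dot separates the local part; "\." stays a literal dot.
sub rname_to_email {
    my ($rname) = @_;
    $rname =~ s/\.$//;
    my ($local, $domain) = $rname =~ /^((?:\\.|[^.])+)\.(.+)$/ or return;
    $local =~ s/\\\././g;
    return "$local\@$domain";
}

# Walk up the name until a zone with an SOA record is found; returns (zone, rname).
sub find_soa {
    my ($name) = @_;
    while ($name =~ /\./) {
        if (my $pkt = $res->query($name, 'SOA')) {
            for my $rr ($pkt->answer) {
                return ($rr->name, $rr->rname) if $rr->type eq 'SOA';
            }
        }
        $name =~ s/^[^.]+\.//;   # drop the leftmost label and retry
    }
    return;
}

# Build the de-duplicated recipient list for one probing IP address.
sub recipients_for {
    my ($ip) = @_;
    my $host = reverse_name($ip) or return;   # no PTR: mail nobody, never fall back locally
    my %to;

    my ($zone, $rname) = find_soa($host);
    if ($zone) {
        my $contact = rname_to_email($rname);
        $to{$contact} = 1 if $contact;
        $to{"abuse\@$zone"} = 1;
    }

    unless ($soa_only) {
        (my $domain = $host) =~ s/^[^.]+\.//;   # assumed: host name minus its host label
        if (mx($res, $domain)) {                 # only if the domain actually accepts mail
            $to{"$_\@$domain"} = 1 for qw(postmaster webmaster administrator);
        }
    }
    return sort keys %to;
}

my $ip = shift @ARGV or die "usage: $0 <probing IP address>\n";
print "$_\n" for recipients_for($ip);
```

Run it with the remote address from a logged probe to see how many addresses each setting produces; the abuse@ address is attached to the zone that owns the SOA, not to the reverse-resolved host name, which is why it survives even when the host's own domain has no MX record.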

Statistics

You may wish to see the statistics for the various worms you
are catching with MSIISProbes.pm. The module supports this
through setting the value of the query string argument 'stats'
to one of the worm names you defined in httpd.conf, for
example like this:

http://my.server.com/cmd.exe?stats=CodeRed
or
http://my.server.com/foo.bar?/c+dir&stats=Nimda

Just make sure to attach the query string to a URL that will
be caught by your configuration of the module! Also please note
that the statistics provided are of your cache, so if you are
clearing entries after one day the statistics will obviously
not be cumulative!
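The behaviour of the Duplicates and Statistics sections together, as an added example rather than the module's own implementation: a cache keyed by worm and source IP, the $store switch deciding whether every attempt or only the first per period is mailed, the whole cache cleared once the period elapses, and the per-worm figures that a 'stats=<worm>' query argument selects. The in-memory hash, the cache_period variable and the sample addresses are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Apache::MSIISProbes' own code: an attempt cache
# with the $store switch, a per-period clear, and per-worm statistics.
use strict;
use warnings;

my $store        = 1;          # 1: mail on every attempt; 0: first attempt per cache period only
my $cache_period = 24 * 3600;  # seconds before the cache is cleared (one day by default)

my %cache;                     # $cache{$worm}{$ip} = attempt count (assumed in-memory store)
my $cache_started = time;

# Record one attempt and decide whether an alert goes out.
# Returns (attempts seen from this IP for this worm, 1 if mail should be sent).
sub record_attempt {
    my ($worm, $ip, $now) = @_;
    $now = time unless defined $now;

    # Clear the whole cache once the period has elapsed.
    if ($now - $cache_started >= $cache_period) {
        %cache         = ();
        $cache_started = $now;
    }

    my $count = ++$cache{$worm}{$ip};

    # $store true:  every attempt is mailed, with the running count in the message.
    # $store false: only the first attempt per cache period is mailed.
    my $send = $store ? 1 : ($count == 1 ? 1 : 0);
    return ($count, $send);
}

# Pull the worm name out of a query string such as "/c+dir&stats=Nimda".
sub stats_arg {
    my ($query) = @_;
    return unless defined $query;
    my ($worm) = $query =~ /(?:^|&)stats=([^&]+)/;
    return $worm;
}

# Per-worm statistics over the current cache only: distinct hosts and total attempts.
# Because the cache is cleared every period, these figures are not cumulative.
sub stats_for {
    my ($worm) = @_;
    my $hosts = $cache{$worm} || {};
    my $total = 0;
    $total += $_ for values %$hosts;
    return { hosts => scalar(keys %$hosts), attempts => $total };
}

# Constructed sample probes (documentation addresses, not real attackers).
for my $probe (['CodeRed', '192.0.2.10'], ['CodeRed', '192.0.2.10'], ['Nimda', '192.0.2.20']) {
    my ($count, $send) = record_attempt(@$probe);
    printf "%-8s %-12s attempt %d  alert=%d\n", @$probe, $count, $send;
}

my $worm = stats_arg('/c+dir&stats=CodeRed');
my $s    = stats_for($worm);
print "$worm: $s->{hosts} host(s), $s->{attempts} attempt(s) in the current cache period\n";
```

Flip $store to 0 and re-run to see the second CodeRed probe from the same address produce alert=0 while its count still rises; the count is what the module includes in the message body when $store is true.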

AUTHOR

Author: Nick Tonkin (nick@tonkinresolutions.com)

Based on CodeRed.pm by Reuven M. Lerner (reuven@lerner.co.il),
with ideas from Randal Schwartz, David Young, and Salve J. Nilsen.

COPYRIGHT

This code is copyright 2001 Nick Tonkin. All rights reserved.

LICENSE

You may distribute this module under the same license as Perl itself.

CHANGES

v1.08
Added the requested URI to the body of the e-mail message sent to
server admins, since some apparently refuse to take action without
it (requested by Tom Moore)

v1.07
Added $soa_only var to config, allowing more control over the volume.
Corrected deprecated URL for this module's home page.

v1.06
Updated docs to reflect correct httpd.conf sections (Steve Neuharth)

v1.05
Fixed bug where mail could get sent to the local server admin if the
remote IP address doesn't resolve to a host name (in certain environments)
(reported by Bruce Albrecht)

Fixed typo in page headline for statistical report (spotted by Alex Vandiver)

v1.04
Added code to provide statistics on the Cache (suggested by Paul DuBois)

v1.03
Added code to get e-mail for the SOA of the host (Brice D. Ruth)

Cut the DNS Resolver's timeout to 20 seconds

v1.02
Moved the URL for info for each worm into PerlSetVar in httpd.conf

SEE ALSO

Apache.